Sunday, January 19, 2014

[Exploit] ASUS RT-N56U Remote Root Shell Buffer Overflow

From its hardened state, the RT-N56U runs an HTTP server on TCP port 80. This HTTP server is vulnerable to multiple buffer overflow attacks in the command processing routine (CVE-2013-6343) of the media application configuration and installation process. In the same fashion that Broadcom ACSD was exploited, an attacker can connect to the HTTPD service and submit a command string that is larger than the program's fixed-length buffer. Upon doing so, the attacker will have corrupted the HTTP server's call stack and altered the execution flow of the program.
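To make the bug class concrete, here is an added illustration in C of the pattern described above: a command string copied into a fixed-length stack buffer with no length check, next to a bounded version that rejects over-long input. This is example code written for this post, not the RT-N56U firmware source; the buffer size `CMD_BUF_LEN`, the function names and the sample command strings are all assumptions constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CMD_BUF_LEN 64  /* hypothetical fixed-size command buffer */

/* Hypothetical pattern of the bug class: the command string taken from
 * the request is copied into a fixed-length stack buffer without any
 * length check, so an over-long string runs past the buffer and into the
 * saved frame data. Kept here only to show the defect; never call it
 * with untrusted input. */
int process_command_unbounded(const char *cmd) {
    char buf[CMD_BUF_LEN];
    strcpy(buf, cmd);          /* no bound: this is the overflow */
    return (int)strlen(buf);
}

/* Hardened form: look for the terminator within the buffer size first,
 * reject anything that does not fit, then copy exactly that many bytes
 * and terminate explicitly. Returns the command length, or -1 if the
 * request was rejected as too long. */
int process_command_bounded(const char *cmd) {
    char buf[CMD_BUF_LEN];
    const char *end = memchr(cmd, '\0', CMD_BUF_LEN);
    if (end == NULL) {
        return -1;             /* no terminator within the buffer: drop it */
    }
    size_t n = (size_t)(end - cmd);
    memcpy(buf, cmd, n);
    buf[n] = '\0';
    return (int)n;
}

/* Demo helper: run the bounded path on a constructed string of `len`
 * 'A' characters (len must be < 512). Used to show both the accept and
 * the reject outcome without touching the unbounded function. */
int bounded_result_for_length(size_t len) {
    char tmp[512];
    if (len >= sizeof tmp) return -2;
    memset(tmp, 'A', len);
    tmp[len] = '\0';
    return process_command_bounded(tmp);
}

int main(void) {
    /* constructed sample inputs, not captured router traffic */
    printf("normal command : %d\n", process_command_bounded("install_app=example"));
    printf("63 bytes       : %d\n", bounded_result_for_length(63));
    printf("64 bytes       : %d\n", bounded_result_for_length(64));
    printf("200 bytes      : %d\n", bounded_result_for_length(200));
    return 0;
}
```

The boundary at exactly `CMD_BUF_LEN - 1` characters is the case that matters: the bounded version accepts 63 bytes and refuses 64, because the terminator itself needs a slot. A check that only compares `strlen(cmd) < CMD_BUF_LEN` after the copy, or that copies first and checks later, leaves the overflow in place.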

The RT-N56U exploit utilizes return oriented programming (ROP) to circumvent stack randomization, but does not need to cause a context switch by calling the sleep() function. At the time of code execution, the RT-N56U has already performed a context switch and written the d-cache (data cache) back to RAM. Because of this condition, the RT-N56U exploit utilizes a call to sched_yield(), which relinquishes the CPU to a ready-to-run process (if one exists) whose execution priority is greater than or equal to that of the HTTPD process.

Finally, I direct the program's execution to custom shellcode residing on the program's call stack, which, when executed, connects back to the attacker's machine on TCP/31337 and spawns a root system shell.